DETAILED ACTION 

1. This is in response to the communications filed on 20 December 2005. 

2. Claims 1-21 are pending in the application. 

3. Claims 1-21 have been rejected. 

Information Disclosure Statement 

4. The examiner has considered the information disclosure statements filed on 15 October 2003 
and 20 December 2005. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

5. Claims 1-21 are rejected under 35 U.S.C. 102(e) as being anticipated by McClure et al 
U.S. 7,152,105 B2. 

As to claim 1, McClure et al discloses a computerized method for reducing the false 
alarm rate of network intrusion detection systems, comprising: 

receiving, from a network intrusion detection sensor, one or more data 
packets associated with an alarm indicative of a potential attack on a target host 
[column 17 line 29 to column 18 line 50]; 
identifying characteristics of the alarm from the data packets, including at 
least an attack type and an operating system fingerprint of the target host [column 
17 line 29 to column 18 line 50]; 

identifying the operating system type from the operating system 
fingerprint [column 17 line 29 to column 18 line 50]; 

comparing the attack type to the operating system type [column 17 line 29 
to column 18 line 50]; and 

indicating whether the target host is vulnerable to the attack based on the 
comparison [column 17 line 29 to column 18 line 50]. 
As to claims 2 and 17, McClure et al discloses storing the operating system fingerprint of 
the target host in a storage location for a time period [column 18, lines 20-42]. 

As to claims 3, 9 and 18, McClure et al discloses the computerized method further comprising: 

monitoring a dynamic configuration protocol server [column 22, lines 32-67]; 

detecting that a lease issue has occurred for a new target host [column 22, 
lines 32-67]; 

accessing a storage location [column 22, lines 32-67]; 

determining whether an operating system fingerprint for the new target 
host already exists in the storage location [column 22, lines 32-67]; and 

if the operating system fingerprint for the new target host does exist, then 
purging the existing operating system fingerprint for the new target host from the 
storage location [column 22, lines 32-67]. 
As to claims 4, 10 and 19, McClure et al discloses the computerized method further comprising: 

monitoring a dynamic configuration protocol server [column 22, lines 32-67]; 

detecting that a lease expire has occurred for an existing target host 
[column 22, lines 32-67]; 

accessing a storage location [column 22, lines 32-67]; 

determining whether an operating system fingerprint for the existing target 
host already exists in the storage location [column 22, lines 32-67]; and 

if the operating system fingerprint for the existing target host does not 
exist, then disregarding the lease expire [column 22, lines 32-67]; and 

if the operating system fingerprint for the existing target host does exist, 
then purging the existing operating system fingerprint for the existing target host 
from the storage location [column 22, lines 32-67]. 
As to claims 5 and 20, McClure et al discloses the computerized method further comprising: 

after receiving the data packets, determining whether a format for the 
alarm is valid [column 23, lines 26-52]; and 

if the format is not valid, then disregarding the alarm [column 23, lines 26-52]; otherwise 

if the format is valid, then continuing the computerized method with the 
identifying characteristics step [column 23, lines 26-52]. 
As to claims 6, 11 and 21, McClure et al discloses automatically alerting a network 
administrator if the target host is vulnerable to the attack [column 17 line 29 to column 18 line 
50]. 
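As an added illustration that is not the applicant's or McClure et al.'s code, the following toy Python model walks through the method recited in claims 1 through 6: alarm format validation, operating system identification from the fingerprint, the attack-type versus OS-type comparison, administrator alerting, and the DHCP lease handling that purges stale fingerprints. The fingerprint table, attack table, host addresses and sample alarms are constructed values.

```python
"""Toy model of the claimed false-alarm reduction method (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping of passive-fingerprint signatures to OS types (hypothetical values).
FINGERPRINT_TO_OS = {"ttl=128,win=65535": "windows", "ttl=64,win=5840": "linux"}
# Constructed mapping of attack types to the OS types they can actually affect.
ATTACK_AFFECTS = {"iis_unicode_traversal": {"windows"}, "lprng_format_string": {"linux"}}
REQUIRED_FIELDS = ("target", "attack_type", "os_fingerprint")

@dataclass
class AlarmCorrelator:
    """Holds the per-host OS fingerprint store and reacts to DHCP lease events."""
    fingerprints: dict = field(default_factory=dict)   # target host -> fingerprint
    alerts: list = field(default_factory=list)         # alerts raised to the administrator

    def alarm_format_valid(self, alarm: dict) -> bool:
        return all(alarm.get(f) for f in REQUIRED_FIELDS)

    def process_alarm(self, alarm: dict) -> Optional[bool]:
        """Return True/False for vulnerable, or None when the alarm is disregarded."""
        if not self.alarm_format_valid(alarm):
            return None                                 # claim 5: invalid format -> disregard
        target, attack, fp = (alarm[f] for f in REQUIRED_FIELDS)
        self.fingerprints[target] = fp                  # claim 2: store the host's fingerprint
        os_type = FINGERPRINT_TO_OS.get(fp, "unknown")  # identify OS type from fingerprint
        vulnerable = os_type in ATTACK_AFFECTS.get(attack, set())  # compare attack to OS type
        if vulnerable:                                  # claim 6: alert only on real exposure
            self.alerts.append(f"{target}: vulnerable to {attack} ({os_type})")
        return vulnerable

    def dhcp_lease_issued(self, host: str) -> bool:
        """Claim 3: a new lease may be a different machine, so purge any stored fingerprint."""
        return self.fingerprints.pop(host, None) is not None

    def dhcp_lease_expired(self, host: str) -> bool:
        """Claim 4: purge on expiry if a fingerprint exists, otherwise disregard the event."""
        if host not in self.fingerprints:
            return False
        del self.fingerprints[host]
        return True

# Constructed sample alarms in the shape a sensor might report them.
SAMPLE_ALARMS = [
    {"target": "10.0.0.5", "attack_type": "iis_unicode_traversal", "os_fingerprint": "ttl=64,win=5840"},
    {"target": "10.0.0.7", "attack_type": "iis_unicode_traversal", "os_fingerprint": "ttl=128,win=65535"},
    {"target": "10.0.0.9", "attack_type": "", "os_fingerprint": "ttl=64,win=5840"},
]

def run_sample() -> list:
    """Process the constructed alarms: Linux host not exposed, Windows host exposed, bad format dropped."""
    return [AlarmCorrelator().process_alarm(a) for a in SAMPLE_ALARMS]  # [False, True, None]
```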

As to claim 7, McClure et al discloses a system for reducing the false alarm rate of 
network intrusion detection systems, comprising: 

a network intrusion detection system operable to transmit one or more data 
packets associated with an alarm indicative of a potential attack on a target host 
[column 17 line 29 to column 18 line 50]; 

a software program embodied in a computer readable medium, the 
software program, when executed by a processor, operable to: 

receive the one or more data packets [column 17 line 29 to column 
18 line 50]; 

identify characteristics of the alarm from the data packets, 
including at least an attack type and an operating system fingerprint of the 
target host [column 17 line 29 to column 18 line 50]; 

identify the operating system type from the operating system 
fingerprint [column 17 line 29 to column 18 line 50]; 

compare the attack type to the operating system type [column 17 
line 29 to column 18 line 50]; and 

indicate whether the target host is vulnerable to the attack based on 
the comparison [column 17 line 29 to column 18 line 50]. 



Application/Control Number: 10/685,726 Page 6 

Art Unit: 2131 

As to claim 8, McClure et al discloses a storage location operable to store the operating 
system fingerprint of the target host for a time period [column 26, lines 25-35]. 

As to claim 12, McClure et al discloses that the software program has no knowledge of 
the protected network architecture [column 24, lines 50-67]. 

As to claim 13, McClure et al discloses that the software program has no access to the 
protected network [column 24, lines 50-67]. 

As to claim 14, McClure et al discloses that the NIDS is vendor independent [column 12, 
lines 30-49]. 

As to claim 15, McClure et al discloses that the NIDS does not support passive operating 
system fingerprinting [column 12, lines 30-49]. 

As to claim 16, McClure et al discloses a system for reducing the false alarm rate of 
network intrusion detection systems, comprising: 

means for receiving, from a network intrusion detection sensor, one or 
more data packets associated with an alarm indicative of a potential attack on a 
target host [column 17 line 29 to column 18 line 50]; 

means for identifying characteristics of the alarm from the data packets, 
including at least an attack type and an operating system fingerprint of the target 
host [column 17 line 29 to column 18 line 50]; 

means for identifying the operating system type from the operating system 
fingerprint [column 17 line 29 to column 18 line 50]; 

means for comparing the attack type to the operating system type [column 
17 line 29 to column 18 line 50]; and 
means for indicating whether the target host is vulnerable to the attack 
based on the comparison [column 17 line 29 to column 18 line 50]. 
As to claim 20, McClure et al discloses the system further comprising: 

after receiving the data packets, means for determining whether a format 
for the alarm is valid [column 23, lines 26-52]; and 

if the format is not valid, then means for disregarding the alarm [column 
23, lines 26-52]. 
Conclusion 

6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Aravind K. Moorthy 
January 4, 2007 